deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 06:47:21 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Acrolinx: changed "tunnelling" to "tunneling"

Browse Source
This commit is contained in:
Gary Moore 2020-04-07 20:32:27 -07:00 committed by GitHub
parent 052b071cef
commit a0ecd213e4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
windows/security/identity-protection/vpn/vpn-office-365-optimization.md
View File

@ -17,12 +17,12 @@ ms.author: jajo
# Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client
This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunnelling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the **native Windows 10 VPN client**. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling.
This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](https://docs.microsoft.com/office365/enterprise/office-365-vpn-split-tunnel) for the **native Windows 10 VPN client**. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling.
This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunnelling with Exclusions_ approach. This allows you to define IP-based exclusions **even when using force tunnelling** in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users.
This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions **even when using force tunneling** in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users.
> [!NOTE]
> The term _force tunnelling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunnelling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration).
> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-routing#split-tunnel-configuration).
## Solution Overview
@ -30,7 +30,7 @@ The solution is based upon the use of a VPN Configuration Service Provider Refer
Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune).
To enable the use of force tunnelling in Windows 10 VPN, the `<RoutingPolicyType>` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `<NativeProfile></NativeProfile>` section:
To enable the use of force tunneling in Windows 10 VPN, the `<RoutingPolicyType>` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `<NativeProfile></NativeProfile>` section:
```xml
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
@ -73,7 +73,7 @@ An example of a correctly formatted Profile XML configuration for force tunnel w
## Solution Deployment
For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunnelling.
For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunneling.
This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used.
@ -462,7 +462,7 @@ An example of a PowerShell script that can be used to create a force tunnel VPN
.SYNOPSIS
Configures an AlwaysOn IKEv2 VPN Connection using a basic script
.DESCRIPTION
Configures an AlwaysOn IKEv2 VPN Connection with proxy PAC information and force tunnelling
Configures an AlwaysOn IKEv2 VPN Connection with proxy PAC information and force tunneling
.PARAMETERS
Parameters are defined in a ProfileXML object within the script itself
.NOTES